Hi,
I wonder what's the right way to set Postgres search_path using user input,
without compromising security due to SQL injection.
Say we have a request with many schema names as params and we have to set
the schema path:
params[:schema_names] = ['foo', 'bar']
And we need:
"SET search_path = foo, bar"
Taking a look at adapters/shared/postgres.rb#893, I can think of something
like this:
# double any embedded double quote, then wrap each name in double quotes
clean_paths = params[:schema_names].map { |s| "\"#{s.gsub('"', '""')}\"" }.join(',')
DB.run("SET search_path = #{clean_paths}")
But I'm not sure if that's all we need to avoid any risk.
Any thoughts?
Best regards
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
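A worked version of that quoting, added here as an example (it is not from the post above and not Sequel's own code): plain-Ruby PostgreSQL identifier quoting that produces the same output as Sequel's `DB.literal(Sequel.identifier(name))`, plus the checks a practitioner would add in front of it (empty names, NUL bytes, the 63-byte identifier limit). The `SchemaPath` module name and its error class are assumptions for the example.

```ruby
# Added example, not from the original post. Quoting rule: wrap the name in
# double quotes and double any double quote inside it; that is the only
# escaping PostgreSQL applies inside a quoted identifier, so commas,
# semicolons and spaces in the name stay part of a single identifier.
module SchemaPath
  MAX_IDENT_BYTES = 63 # NAMEDATALEN - 1; longer identifiers are truncated by the server

  class InvalidSchemaName < ArgumentError; end

  # Returns the quoted identifier, rejecting names PostgreSQL would refuse or
  # mangle instead of letting them reach the server.
  def self.quote_identifier(name)
    name = name.to_s
    raise InvalidSchemaName, 'empty identifier' if name.empty?
    raise InvalidSchemaName, 'NUL byte in identifier' if name.include?("\0")
    raise InvalidSchemaName, 'identifier longer than 63 bytes' if name.bytesize > MAX_IDENT_BYTES
    %("#{name.gsub('"', '""')}")
  end

  # Builds the SET statement from user-supplied names (SET itself cannot take
  # a bound parameter, so the statement has to be assembled as a string).
  def self.set_statement(names)
    raise InvalidSchemaName, 'no schemas given' if names.empty?
    "SET search_path = #{names.map { |n| quote_identifier(n) }.join(', ')}"
  end

  # Value for set_config('search_path', <value>, false): set_config is an
  # ordinary function, so this string can be passed as a normal string
  # parameter (with Sequel: DB.fetch("SELECT set_config('search_path', ?, false)", value).all).
  # The names still need quoting because the value is parsed as a list of identifiers.
  def self.search_path_value(names)
    names.map { |n| quote_identifier(n) }.join(', ')
  end
end

# Constructed sample input: one ordinary name and one hostile-looking name.
if __FILE__ == $PROGRAM_NAME
  puts SchemaPath.set_statement(['foo', 'odd"name, x'])
  # => SET search_path = "foo", "odd""name, x"
end
```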